[ubuntu] [SOLVED] iptables rules are being reset after 5 mins


capmex
October 8th, 2008, 07:05 PM
Hi, I got a new server with Ubuntu 8.04.1. I followed this manual https://help.ubuntu.com/community/IptablesHowTo to set up my iptables rules. They load fine after the server is rebooted, but after about 5 mins the rules are reset to the default values. I also have this issue after setting up the rules and loading them from the file /etc/iptables.rules.

For example:
sudo iptables-restore < /etc/iptables.rules
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

But after about 5 mins I get the following output.
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Here are the contents of my /etc/iptables.rules file:
cat /etc/iptables.rules
# Generated by iptables-save v1.3.8 on Wed Oct 8 16:17:01 2008
*filter
:INPUT ACCEPT [184:15853]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Oct 8 16:17:01 2008


Where can I look to disable this odd behavior?

Thanks in advance.

cariboo907
October 9th, 2008, 03:21 AM
I'm nowhere near an iptables expert, but basically, from what I can tell from your scripts, you're not blocking anything, so your results would be the same as no rules at all. If I remember correctly you should start with blocking all ports, then open just the ports you need. One thing to remember is that block all should come first, before you start opening ports. Firewall rules are order sensitive. In other words, block everything first, then allow if the right conditions are met, and then allow unrestricted access.

Jim

iponeverything
October 9th, 2008, 03:40 AM
I'm nowhere near an iptables expert, but basically, from what I can tell from your scripts, you're not blocking anything, so your results would be the same as no rules at all. If I remember correctly you should start with blocking all ports, then open just the ports you need. One thing to remember is that block all should come first, before you start opening ports. Firewall rules are order sensitive. In other words, block everything first, then allow if the right conditions are met, and then allow unrestricted access.

Jim

He is doing things in correct order. His last rules are:

-A INPUT -j DROP
-A FORWARD -j DROP

Look at the output of iptables -L -n: the rules are evaluated from the top down. -A is for append.


BTW -- I don't know the answer to your question -- But I do like your rule set -- Simple and concise. The only thing that I would consider adding is specific UDP rules for DNS.

capmex
October 9th, 2008, 12:22 PM
Thank you cariboo907 and iponeverything.

I asked the host provider about this, and the problem was that they included the APF firewall when installing the server. Here's part of their response:
Your order specifies APF firewall. The configuration file of this firewall (/etc/apf/conf.apf) includes an option (DEVEL_MODE=1, more details in the above specified file). The option activates a cronjob command that resets the iptables rules, so this is the cause of your rules being flushed.

@iponeverything: It's good to know I did things the correct way; I will check on the UDP rules for DNS.

The Cog
October 10th, 2008, 09:45 AM
Your rate limit line is after your -j DROP line, so there will be no rate limiting going on.

capmex
October 13th, 2008, 12:38 PM
@The Cog: Thanks, I fixed that. I reviewed the tutorial again and the log line with the limit comes before the drop line, so I think I was not logging anything with my previous setup. Is that correct?
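The ordering point The Cog raises can be checked mechanically. The following is an added example, not code from the thread or from the IptablesHowTo page: a small Python linter that parses an iptables-save dump and flags any rule appended after a catch-all terminating rule (no match criteria, target ACCEPT/DROP/REJECT) in the same chain, since iptables stops evaluating a chain at the first terminating match. The first sample is capmex's posted /etc/iptables.rules verbatim; the second is the same file with the LOG rule moved above the DROP, which is my reordering and assumed to be the fix applied after The Cog's remark.

```python
"""Flag iptables rules that can never match.

Added example, not code from the thread. iptables walks each chain from
the top and stops at the first rule whose target terminates evaluation
(ACCEPT, DROP, REJECT). A rule with no match criteria and such a target
is a catch-all, so every rule appended after it in the same chain is
dead. That is why the LOG rule in the original /etc/iptables.rules never
logged anything: it sits below '-A INPUT -j DROP'.
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample 1: the ruleset posted in the thread, unchanged.
ORIGINAL_RULES = """\
*filter
:INPUT ACCEPT [184:15853]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29:2844]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed sample 2: the same ruleset with the LOG rule moved above the
# DROP (assumed to be the fix applied after The Cog's remark).
LOG_RULE = ('-A INPUT -m limit --limit 5/min -j LOG '
            '--log-prefix "iptables denied: " --log-level 7\n')
DROP_RULE = "-A INPUT -j DROP\n"
FIXED_RULES = ORIGINAL_RULES.replace(DROP_RULE + LOG_RULE, LOG_RULE + DROP_RULE)


def parse_rules(dump):
    """Return (chain, match_tokens, target) for each '-A' line.

    Table headers, chain policies, comments and COMMIT are skipped. Tokens
    after '-j TARGET' (e.g. --log-prefix) belong to the target, not the
    match, so token collection stops at '-j'.
    """
    rules = []
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, rest = tokens[1], tokens[2:]
        target = None
        matches = []
        for i, tok in enumerate(rest):
            if tok == "-j":
                target = rest[i + 1] if i + 1 < len(rest) else None
                break
            matches.append(tok)
        rules.append((chain, matches, target))
    return rules


def find_unreachable(dump):
    """Report rules that follow a catch-all terminating rule in their chain."""
    findings = []
    catch_all = {}  # chain -> text of the rule that shadows everything below it
    for chain, matches, target in parse_rules(dump):
        rule = " ".join(matches + ["-j", str(target)])
        if chain in catch_all:
            findings.append(
                f"{chain}: '{rule}' is unreachable, it follows '{catch_all[chain]}'"
            )
        elif not matches and target in TERMINATING:
            catch_all[chain] = rule
    return findings


if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        problems = find_unreachable(dump)
        print(f"{name}: {len(problems)} unreachable rule(s)")
        for problem in problems:
            print("  " + problem)
```

Run against the original file the linter reports the INPUT chain's LOG rule as unreachable behind '-j DROP'; against the reordered file it reports nothing, because a LOG rule with a -m limit match is neither a catch-all nor a terminating target, so the DROP below it still ends the chain. Note that the linter only inspects what is in the dump; it says nothing about a cron job flushing the table, which was the actual cause in this thread.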

SSVegito888
October 14th, 2008, 05:31 PM
I just switched from Windows a couple of weeks ago, so I still have the Windows mentality, but I like GUIs.

There are some GUIs to configure your firewall.

Two of them are:

Firestarter - found in Ubuntu repositories

Gufw - found here http://gufw.tuxfamily.org/index.html